Lenovo recently announced that the SuperFish software, which came pre-installed on their consumer-grade devices, needed to be removed from every system. Logically, many were asking what the intent of the software was and why it needed to be removed.
The lowdown on the SuperFish software
The SuperFish software is a textbook example of adware, a type of malware that displays advertisements on your computer and collects your data without your consent. Unlike other variants of adware that simply spam the system with advertisements, SuperFish was designed to replace the ads a page already shows with ones it judged more relevant, even though the user may not want those either.
Typically, adware can’t operate on webpages protected by an HTTPS connection, because the traffic to those sites is encrypted and the adware can neither read the page nor inject anything into it. This includes webpages for online banking, e-commerce sites, and even Google and Facebook. But the SuperFish software takes a different approach with protected sites, and that’s where the problem starts.
When the SuperFish software is installed on a system and the user attempts to access an HTTPS-protected webpage, the request is intercepted by an internal proxy. The software decrypts the traffic, then re-encrypts it for the browser using a certificate signed by its own self-signed root certificate. Because that root certificate is installed in the system’s trusted certificate store, the browser accepts the substituted certificate without any warning. While SuperFish had good intentions, it ultimately had significantly adverse results.
The problem is that the software uses the same private key on every system it’s installed on. This means that anyone with the software (or, rather, anyone with just the key itself) can intercept and decrypt traffic, giving them access to sensitive banking information and any other data protected by a SuperFish-signed HTTPS connection. For example, someone at a local Starbucks could potentially set up their system as a Wi-Fi hotspot using the same name as the Starbucks network and then copy and decrypt information transmitted by any user running the SuperFish software.
Additionally, according to the Microsoft Security Response team, the security certificate included with SuperFish can also be used to sign malware executables to obfuscate their malicious intentions and masquerade as legitimate files. For more information on this, see here.
What to do now
The first step is to determine whether your device or your clients’ devices came with the pre-installed software. Business-grade Lenovo devices like the ThinkPad do not have the software. Only consumer-grade Lenovo PCs purchased in September 2014 and later, including the G, U, Y, Z, S, Flex, MIIX, and YOGA Series, have the preloaded software. If you or your clients have one of these series of PCs, instructions for removal can be found here. Lenovo also now offers its own removal tool, but it only removes the certificate and shuts down the attack vector: the actual SuperFish software and its settings are left intact on the user’s system.
If you don’t have a Lenovo consumer-grade laptop, you can take a few proactive steps to ensure your system is otherwise protected from adware. First and foremost, make sure you and your customers stay informed about prevalent types of malware. Also, regularly run antimalware scans using programs like Malwarebytes Anti-Malware, SUPERAntiSpyware, and Lavasoft’s Ad-Aware. If you’re unsure whether you’re affected by SuperFish, visit one of these sites to test your system: LastPass Superfish Checker or the SuperFish vulnerability test.
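For service providers who would rather check a fleet from the console than visit a website on each machine, here is an added PowerShell check that is not from the original post, from Lenovo, or from any of the tools named above. It looks for a root certificate whose subject or issuer contains the string "Superfish" in the machine and user trusted root stores; that substring match is an assumption, so substitute a thumbprint from your own indicator source if you have one.

```powershell
# Added example: scan Windows trusted root stores for a SuperFish root certificate.
# ASSUMPTION: the certificate is identifiable by "Superfish" in its Subject or
# Issuer field; override -Pattern with a known thumbprint or subject if you have one.
param(
    [string]$Pattern = 'Superfish',   # assumed subject/issuer substring (regex)
    [switch]$Remove                   # delete matches; off by default (report only)
)

# Both the machine-wide store (what the preload used) and the current user's store.
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -match $Pattern -or $_.Issuer -match $Pattern } |
        Select-Object @{ n = 'Store'; e = { $store } }, Subject, Issuer,
                      Thumbprint, NotBefore, NotAfter
}

if (-not $found) {
    Write-Output "No trusted root certificate matching '$Pattern' found."
    return
}

# Report every match with enough detail to record in a ticket.
$found | Format-Table -AutoSize

if ($Remove) {
    foreach ($cert in $found) {
        # Certificate provider paths are Store\Thumbprint; LocalMachine needs elevation.
        $path = Join-Path -Path $cert.Store -ChildPath $cert.Thumbprint
        Remove-Item -Path $path -Force
        Write-Output "Removed $($cert.Thumbprint) from $($cert.Store)"
    }
} else {
    Write-Output "Re-run with -Remove (elevated) to delete these certificates."
    Write-Output "Removing the certificate alone leaves the SuperFish program installed; uninstall it as well."
}
```

Firefox keeps its own certificate store and is not covered by this check, so inspect it separately on machines where it is installed.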
How this affects managed service providers
IT service providers whose customers offer a bring-your-own-device policy to their employees are particularly exposed to this threat. We recommend checking in with your customers and running tests on their systems (using the sites listed above). If you find that a customer is using a Lenovo device with the SuperFish software, immediately remove the software from the system using the instructions above.
As always, we recommend you use antimalware software, run regular malware scans on your devices, and educate your users on the warning signs of a malware infection.